ACE Performance Numbers and Resource Limits

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

ACE Performance Numbers

| Performance Measurement | ACE Module Maximum Value | ACE Appliance Maximum Value |
|---|---|---|
| Max number of 10/100 Mbps ports | Catalyst 6500 series switch or Cisco 7600 series router limit | 4 |
| Max number of Gigabit ports | Catalyst 6500 series switch or Cisco 7600 series router limit | 4 |
| Switching Capacity | Catalyst 6500 series switch or Cisco 7600 series router limit | 4 Gbps |
| SLB L4 bps | 4, 8, or 16 Gbps | 1, 2, or 4 Gbps |
| SLB L4 Connections per Second (CPS) | 325,000 | 120,000 |
| SLB L7 Maximum CPS | 133,000 | 40,000 |
| Concurrent L4 Sessions | 4,000,000 | 1,000,000 |
| Concurrent L7 Sessions | 512,000 | 128,000 |
| Packets per Second (PPS) | 4,000,000+ | 1,800,000 @ 64 bytes, 162,000 @ 1500 bytes |
| SSL Bandwidth | 3.3 Gbps | 1 Gbps |
| SSL Transactions per Second (TPS) | 15,000 | 7,500 |
| Concurrent SSL Sessions | 200,000 | 100,000 |

SLB-Related Limits

| SLB-Related Object | ACE Module System Limit | ACE Module Context Limit | ACE Appliance Limit | Additional Information |
|---|---|---|---|---|
| ARP Entries | 32,768 | 32,768 | 32,768 | |
| Bridge Table Entries | 32,768 | 32,768 | 32,768 | A few are reserved for L2 interfaces, redundancy, and so on. |
| Bridge-Group Virtual Interfaces (BVIs) | 4096 | 2048 | 512 | |
| Class Maps (L4 and L7) | 8192 | 8192 | 8192 | When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time. |
| Concurrent Conns L4 (Unproxied) | 4,000,000 | 4,000,000 | 1,000,000 | |
| Concurrent Connections L7 (Proxied) | 512,000 | 512,000 | 128,000 | |
| Domains | 2,500 | 10 (9) | 10 (9 per context) | One is used for the default domain. |
| Domain Objects | None | None | None | Any object within the virtual partition can be added to a domain. |
| Logical Interfaces | 8,192 | 8,192 | 8,192 | |
| Matches Per VIP | 1,024 | 1,024 | 1,024 | A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected. |
| | | | | In ACE software version A2(x), probe sockets have been increased. Use the show resource internal socket command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions. |
| Sticky Groups | 4,096 | 4,096 | 4,096 | |
| Sticky Table Entries | 4,000,000 | 4,000,000 | 800,000 | |
| Virtual Contexts | 251 | N/A | 21 (1 Admin context) | 250 user contexts + 1 Admin context |
| Virtual Server Farms | 4k (4094) | 4k (4094) | 1024 | |
| Virtual Servers (Same IP Addresses) | 4k (4094) | 4k (4094) | 1024 | No limit as on the CSM |
| Virtual Servers (Unique IP Addresses) | 4k (4094) | 4k (4094) | 1024 | No limit as on the CSM |
| VLANs | 4,000 (2-4094) | 4,000 (2-4094) | 4,000 (2-4094) | |

Security-Related Limits

| Security-Related Object | ACE Module System Limit | ACE Module Context Limit | ACE Appliance Limit | Additional Information |
|---|---|---|---|---|
| ACLs | 8,192 | 1,024 (practical limit) | 8,192 | |
| ACL Entries | 64,000 | 1,024 (practical limit) | 40K | |
| Static NAT Policies | 4096 | 4096 | 4096 | |
| Dynamic NAT Policies | 4096 | 4096 | 4096 | |
| Maximum of addresses in a NAT pool | 64 | 64 | 32 | |
| Maximum of addresses in a PAT pool | 63k | 63k | 63k | |
| PAT Entries | 4,000,000 | 4,000,000 | 1,000,000 | |
| Total NAT Pools | 8,192 | 8,192 | 8,192 | |
| Xlates | 1,000,000 | 1,000,000 | 64,000 | |
| Concurrent SSL Conns | 100,000 | 100,000 | 100,000 | Subset of L7 (proxied) connections |
| RSA key size | up to 2048 bits | up to 2048 bits | up to 2048 bits | Supported: 512, 786, 1536, 1024, & 2048 bits. Not supported: 3072 bits & 4096 bits. |
| SSL Certs/Key files | 3800/3800 | 3800/3800 | 3800/3800 | This number is strictly enforced in A220, A214, and A322 |

Management-Related Limits

| Management-Related Object | ACE Module System Limit | ACE Module Context Limit | ACE Appliance | Additional Information |
|---|---|---|---|---|
| AAA LDAP Servers | 6,144 | 8 (24 total) | 8 | |
| AAA RADIUS Servers | 2K (256*8) | 8 (24 total) | 8 | |
| AAA TACACS+ Servers | 6K (256*24) | 8 (24 total) | 8 | |
| Domains | 2500 | 64 (63) | 64 (63) | One domain is used for the default-domain and cannot be removed |
| Local Users | 7500 | 30 (Admin context: 28) | 31 (including admin, www, and dm) | |
| Objects within a Domain | No limit | No limit | | Any object within the virtual partition can be added to a domain |
| Resource-classes | 252 | Not applicable | 100 | |
| Roles | 4000 | 16 (8) | 16 (8) | Eight are predefined and cannot be altered, leaving eight for you to customize |